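<doc>
  <!-- Possible SGID exploit.
       Step 1 matches an exec record whose real gid is non-zero but whose
       effective gid is 0 and captures its pid. Step 2 matches a later exec
       record whose ppid is that captured pid (a child spawned by the
       group-privileged process). The procmatch copies the child's args into
       the agg variable for the annotation text.
       The regexes were rebuilt from a scanned copy: "\ (" and ". *" are
       scanner artefacts of "\(" and ".*"; the euid field name and the
       ppid=\(%1%\) term were illegible and are taken from the field order of
       the "Find Processes" query and from the surviving form in the "All
       Shell-spawned Processes" query; confirm both against the original. -->
  <regexp-query>
    <name>Possible SGID Exploit</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*exec args=.*pid=\((\d+)\); ppid=\(\d+\); uid=\(\d+\); euid=\(\d+\); gid=\([1-9]\d*\); egid=\(0\).*</line>
      </next>
      <next>
        <line>.*args=\([\-\w\\\/ ]+\); pid=\(\d+\); ppid=\(%1%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Possible SGID Exploit: %agg%</text>
    </annotation>
  </regexp-query>
</doc>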



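<doc>
  <!-- Possible SUID exploit.
       Step 1 matches an exec record whose real uid is non-zero but whose
       effective uid is 0 and captures its pid. Step 2 matches a later exec
       record whose ppid is that pid. The procmatch copies the child's args
       into agg. Note that uid!=0 with euid=0 is also the normal state of any
       setuid-root program run by an unprivileged user, so benign matches are
       to be expected and the annotation should be read as a lead, not a
       verdict.
       Rebuilt from a scanned copy: the ppid=\(%1%\) term was illegible and
       follows the surviving form in "All Shell-spawned Processes"; the
       missing </actionpair> close tag has been restored; confirm against
       the original. -->
  <regexp-query>
    <name>Possible SUID Exploit</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*exec args=.*pid=\((\d+)\); ppid=\(\d+\); uid=\([1-9]\d*\); euid=\(0\).*</line>
      </next>
      <next>
        <line>.*args=\(.+\); pid=\(\d+\); ppid=\(%1%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*args=\((.+)\); pid=\(\d+\); ppid=\(%1%\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Possible SUID Exploit: %agg%</text>
    </annotation>
  </regexp-query>
</doc>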




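<doc>
  <!-- All processes: matches every proclog record carrying an args field
       and reports the args value. The character class inside the args
       capture allows only "-", ".", word characters, backslash, slash and
       space, so an args value containing any other character (quotes,
       semicolons, "&", "|", ...) is silently not reported; widen the class
       if those should be visible.
       Rebuilt from a scanned copy; the stray glyphs in the scanner output
       were dropped. -->
  <regexp-query>
    <name>All Processes</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*proclog.*args=\(([\-\.\w\\\/ ]+)\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*args=\(([\-\.\w\\\/ ]+)\).+</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Process started: %agg%</text>
    </annotation>
  </regexp-query>
</doc>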



SI 




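<doc>
  <!-- Find processes: a parameterised query. Each child of <args> names a
       user-supplied value and gives the regex it must satisfy (args is free
       text, the id fields are digit strings); the %name% references in the
       pattern line are filled from them. Because the supplied values are
       substituted into a regex, the per-argument patterns are what keeps a
       caller from injecting regex syntax; keep them as tight as shown.
       The procmatch reports the args field of every matching record.
       Rebuilt from a scanned copy; the "%gidl" reference was read as
       "%gid%". -->
  <regexp-query>
    <name>Find Processes...</name>
    <properties>
      <priority>10</priority>
    </properties>
    <args>
      <args>.+</args>
      <pid>\d+</pid>
      <ppid>\d+</ppid>
      <uid>\d+</uid>
      <euid>\d+</euid>
      <gid>\d+</gid>
      <egid>\d+</egid>
    </args>
    <pattern>
      <next>
        <line>.*args=\(%args%\); pid=\(%pid%\); ppid=\(%ppid%\); uid=\(%uid%\); euid=\(%euid%\); gid=\(%gid%\); egid=\(%egid%\).+</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*args=\((.+)\); pid.+</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Process started: %agg%</text>
    </annotation>
  </regexp-query>
</doc>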



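<doc>
  <!-- All shell-spawned processes.
       Step 1 matches an exec of "-sh" (a login shell) and captures its pid.
       Step 2 matches a later exec whose ppid is that pid, i.e. a command
       started from the shell. The procmatch copies that command's args into
       agg. Unlike the other process queries this one has no <delete/>, so
       the matched records stay in the view after annotation.
       Rebuilt from a scanned copy in which the </pattern>, <procmatch> and
       <actionpair> tags had been displaced below the document; they are
       restored to their position between the two matching lines. The
       ppid=\(%1%\) term of step 2 was illegible and follows the surviving
       form of the procmatch line; confirm against the original. -->
  <regexp-query>
    <name>All Shell-spawned Processes</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*exec args=\(-sh\); pid=\((\d+)\).*</line>
      </next>
      <next>
        <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
        <action>
          <highlight/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Executed from a shell: %agg%</text>
    </annotation>
  </regexp-query>
</doc>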





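<doc>
  <!-- Incoming connections: matches "incoming connection" records and
       splits the from= and to= values into ip:port pairs. The four greedy
       ".+" captures assume each value has exactly one ":" separating host
       and port; a bracketed IPv6 address or a host name containing ":"
       would be split at the wrong colon.
       Rebuilt from a scanned copy; the variable names had scanner-inserted
       spaces ("f romip") and are restored to match the %...% references in
       the annotation. -->
  <regexp-query>
    <name>Incoming Connections</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*incoming connection from=\(.+\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*incoming connection from=\((.+):(.+)\) to=\((.+):(.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="fromip">%1%</varop>
          <varop var="fromport">%2%</varop>
          <varop var="toip">%3%</varop>
          <varop var="toport">%4%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Incoming Connection From IP: %fromip% (on port: %fromport%) To IP: %toip% (on port: %toport%)</text>
    </annotation>
  </regexp-query>
</doc>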



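<doc>
  <!-- Keystrokes entered.
       Step 1 matches a "read stream data" record and captures the stream
       id. Step 2 (fromprev="1", presumably continuing from the record
       matched by step 1; its exact semantics are not documented here)
       matches a later read on the same id whose data contains an escaped
       \0a, \0d or \04 byte, i.e. the read that ends the line. The procmatch
       collects the data fields of the reads on that id into agg.
       The data capture "\((.+)\)" is greedy and assumes the logged value
       contains no unescaped ")"; confirm how the logger escapes data.
       Rebuilt from a scanned copy; "%l%" and fromprev="l" were read as
       "%1%" and "1". -->
  <regexp-query>
    <name>Keystrokes Entered</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*read stream data, id=\((\d+)\) data=\(.+\).*</line>
      </next>
      <next fromprev="1">
        <line>.*read stream data, id=\(%1%\) data=\(.+\\0[ad4].*\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*read stream data, id=\(%1%\) data=\((.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Keystrokes Entered: %agg%</text>
    </annotation>
  </regexp-query>
</doc>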



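<doc>
  <!-- Screen output: the write-side counterpart of "Keystrokes Entered".
       Step 1 matches a "write stream data" record and captures the stream
       id. Step 2 (fromprev="1", semantics as for the read query) matches a
       later write on the same id whose data contains an escaped \0a, \0d,
       \04 or \06 byte. The procmatch collects the data fields into agg.
       Rebuilt from a scanned copy: "cdoc>", "cregexp-query>", "</lme>" and
       "<procraatch>" are scanner misreads of the tags restored here, and
       ",*" in the step 2 regex was read as ".*". -->
  <regexp-query>
    <name>Screen Output</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*write stream data, id=\((\d+)\) data=\(.+\).*</line>
      </next>
      <next fromprev="1">
        <line>.*write stream data, id=\(%1%\) data=\(.*\\0[ad46].*\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*write stream data, id=\(%1%\) data=\((.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Output to screen: %agg%</text>
    </annotation>
  </regexp-query>
</doc>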




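<doc>
  <!-- Find monitored: a parameterised query over "monitored file opened"
       records. The caller supplies file_name (free text) and pid (digits);
       both are substituted into the pattern regex, so the per-argument
       patterns under <args> are what bounds the substituted text. The
       procmatch re-captures the name and pid of each matching record into
       filename and pidvar for the annotation.
       Rebuilt from a scanned copy; "f ile_name" is restored to file_name to
       match the %file_name% reference, and "-*" at the end of the procmatch
       regex was read as ".*". -->
  <regexp-query>
    <name>Find Monitored</name>
    <properties>
      <priority>10</priority>
    </properties>
    <args>
      <file_name>.+</file_name>
      <pid>\d+</pid>
    </args>
    <pattern>
      <next>
        <line>.*monitored file opened name=\(%file_name%\) pid=\(%pid%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*monitored file opened name=\((.+)\) pid=\((.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="filename">%1%</varop>
          <varop var="pidvar">%2%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>File Opened: %filename% (from pid: %pidvar%)</text>
    </annotation>
  </regexp-query>
</doc>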



